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WHAT IS CLAIMED IS: 

1. An Authentication, Authorization, and Accounting .(AAA) server in a packet 
data network comprising: 

means for authenticating a user; 

means for authorizing a sen/ice for the user when the user accesses the network; 

and 

means for generating a session identity, said session identity comprising a unique 
random value that is opaque, unpredictable, and not simultaneously re-usable, wherein the 
means for generating a session identity includes means for structuring the session identity 
to include an identifier of the AAA server, said AAA server identifier being usable to route 
queries containing the AAA server identifier to the AAA server. 

2. The AAA server of claim 1 , further comprising: 

means for extracting from a session identity received in a query, an AAA server 
identifier for another AAA server in the packet data network; and 

means for routing the query to the other AAA server based on the extracted AAA 
server identifier. 

3. The AAA server of claim 1, wherein the means for generating a session 
identity includes means for structuring the session identity to include a session reference 
(session_ref) and a realm identifier (realmjd). 

4. The AAA server of claim 3, wherein the means for generating a session 
identity includes means for encoding the session reference such that the form of the 
session identity is: encoded session_ref."@". realmjd, where "." indicates concatenation. 
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5. The AAA server of claim 3, wherein the means for generating a session 
identity includes: 

means for encoding the session reference; and 

means for appending the realm identifier to the encoded session reference such that 
the form of the session identity is: encoded session_ref.realm_id. 

6. The AAA server of claim 3, wherein the means for generating a session 
identity includes: 

means for encoding the session reference; and 

means for appending the encoded session reference to the realm identifier such that 
the form of the session identity is: realm_id. encoded sessionjef. 

7. The AAA server of claim 3, wherein the means for generating a session 
identity includes: 

means for encrypting the session reference and the realm identifier; and 
means for encoding the encrypted session reference and realm identifier such that 
the form of the session identity is: encoded(encrypt(session_ref.realm_id)). 

8. The AAA server of claim 3, wherein the means for generating a session 
identity includes means for concatenating the session reference with the realm identifier 
and a Keyed-Hasing Message Authentication Code (HMAC). 

9. The AAA server of claim 8, wherein the means for generating a session 
identity also includes means for encoding the concatenated session reference, realm 
identifier, and HMAG such that the form of the session identity is: 
encoded(session_ref.realm_id.HMAC). 
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10. The AAA server of claim 9, wherein the means for generating a session 
identity also includes means for encrypting the concatenated session reference, realm 
identifier, and HMAC prior to encoding such that the form of the session identity is: 
encoded(encrypt(session_ref.realm_id.HMAC)). 

11. In a packet data network having a plurality of Authentication, Authorization, 
and Accounting (AAA) servers, a system for routing queries to an appropriate AAA server, 
said system comprising: 

means for assigning a realm identifier to each of the plurality of AAA servers; 

means for creating a master session in a given AAA server; 

means within the given AAA server for generating a master session identity that 
includes a session reference and the realm identifier assigned to the given AAA server; and 

means within the network for routing queries based on the master session identity to 
the given AAA server. 

12. The system of claim 11, wherein the means within the network for routing 
queries includes a load balancer that receives queries based on the master session identity 
and sends the queries to a randomly selected AAA server, wherein the selected AAA 
server includes: 

means for determining whether a received query is for the selected server; 

a routing table for identifying the appropriate AAA server based on the realm 
identifier in the master session identity; and 

means for routing the queries to the identified appropriate AAA server, upon 
determining that the received query is not for the selected server. 

13. The system of claim 11, wherein the means within the network for routing 
queries includes a specialized AAA server that receives queries based on the master 
session identity and routes the queries to the appropriate AAA server, said specialized AAA 
server including: 
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a routing table for identifying the appropriate AAA server based on the realm 
identifier in the master session identity; and 

means for routing the queries to the identified appropriate AAA server. 

14. The system of claim 11, wherein the means for generating a master session 
identity also includes encoding means and encrypting means for encoding and encrypting 
the master session identity. 

15. The system of claim 11, wherein the means for generating a master session 
identity also includes encoding means for encoding the master session identity, and the 
system further comprises a border gateway that encrypts the encoded master session 
identity when the border gateway sends the master session identity to a user's browser. 

16. In a packet data network having a plurality of Authentication, Authorization, 
and Accounting (AAA) servers, a method of routing queries to an appropriate AAA server, 
said method comprising the steps of: 

assigning a realm identifier to each of the plurality of AAA servers; 
creating a master session in a given AAA server; 

generating by the given AAA server, a master session identity that includes a 
session reference and the realm identifier assigned to the given AAA server; and 

routing queries containing the master session identity to the given AAA server. 

17. The method of claim 16, wherein the step of routing queries includes the 
steps of: 

configuring each of the AAA servers with routing tables for identifying the 
appropriate AAA server based on the realm identifier in the master session identity; 
receiving a query based on the master session identity in a load balancer; 
sending the query from the load balancer to a randomly selected AAA server; 
determining in the selected AAA server, whether a received query is for the selected 

server; 
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if the query is not for the selected AAA server, identifying the appropriate AAA server 
utilizing the selected AAA server's routing table; and 

routing the query from the selected AAA server to the identified appropriate AAA 

server. 

18. The method of claim 17, wherein the step of determining in the selected AAA 
server, whether a received query is for the selected server includes the steps of: 

extracting a realm identifier from the master session identity received in the query; 

and 

determining whether the extracted realm identifier matches the realm identifier 
assigned to the selected AAA server. 

19. The method of claim 16, wherein the step of routing queries includes the 
steps of: 

receiving a query based on the master session identity in a specialized AAA server 
configured with a routing table that matches realm identifiers with AAA servers; 

identifying by the specialized AAA server, the appropriate AAA server based on the 
realm identifier in the master session identity; and 

routing the query to the identified appropriate AAA server. 

20. The method of claim 16, wherein the step of generating a master session 
identity includes encoding and encrypting the master session identity. 

21. The method of claim 16, wherein the step of generating a master session 
identity includes encoding the master session identity, and the method further comprises 
encrypting the encoded master session identity in a border gateway when the border 
gateway sends the master session identity to a user's browser. 
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22. The method of claim 16, wherein the step of generating a master session 
identity includes encoding the master session identity and adding a cyclical redundancy 
check (CRC) value, and the method further comprises verifying in a border gateway, an 
Internet Protocol (IP) address of a client sending a query to the given AAA server. 

23. In a packet data network having a plurality of Authentication, Authorization, 
and Accounting (AAA) servers, a method of routing queries to an appropriate AAA server, 
said method comprising the steps of: 

randomly generating in each of the plurality of AAA servers, a fixed-length realm 
identifier that uniquely identifies each generating AAA server; 
creating a master session in a given AAA server; 

generating by the given AAA server, a master session identity that includes a 
session reference and the realm identifier that identifies the given AAA server; and 

routing queries containing the master session identity through the network to the 
given AAA server. 
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